The Aadhaar law allows sharing your ID information and all authentication record in interest of "national security", even as the phrase “national security” is undefined in the present bill, as well as the General Clauses Act. Thus, the circumstances in which an individual's information may be disclosed remains open to interpretation.

Section 33(1) permits the disclosure of an individual's demographic information following an order by a district judge. It says that in such a matter, prior hearing will be given to the UIDAI , NOT the person whose data is being disclosed!

Section 33(2), which permits disclosure of your data "in interest of national security", says such disclosures will be for three months initially, and a fresh renewal can be granted for another three months, with NO limitation on the number of such renewals.

This can lead to a user being under continuous surveillance, and without ANY notification to the user even after the surveillance ceases, violating one of necessary and proportionate principles on communications surveillance related to user notification and right to effective remedy. In some countries, this principle has been incorporated in law. For example, in Canada, the law limits the time of wiretapping surveillance, and imposes an obligation to notify the person under surveillance within 90 days of the end of the surveillance, extendable to a maximum of three years at a time.

Aadhaar also lacks provisions on giving notice to a person in case of breach of information, in case of third party use of data, or change in purpose of use of data, which were recommended by the Justice Shah Committee on Privacy in 2012.